Network Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Information Security 1 What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer Information Security 2 What is a Firewall ? A firewall : Internet ◦ Acts as a security gateway between two networks ◦ Tracks and controls network communications Decides whether to pass, reject, encrypt, or log communications (Access Control) “Allow traffic Traffic “Block to Internet” from Internet” Corporate Site 3 Information Security Hardware vs. Software Firewalls Hardware Firewalls ◦ Protect an entire network ◦ Implemented on the router level ◦ Usually more expensive, harder to configure Software Firewalls ◦ Protect a single computer ◦ Usually less expensive, easier to configure Information Security 4 Evolution of Firewalls Stateful Inspection Application Proxy Packet Filter Stage of Evolution Information Security 5 Packet Filter Packets examined at the network layer Useful “first line” of defense - commonly deployed on routers Simple accept or reject decision model No awareness of higher protocol layers Applications Applications Applications Presentations Presentations Presentations Sessions Sessions Sessions Transport Transport Transport Network Network Network Data Link Data Link Data Link Physical Physical Physical Information Security 6 Packet Filter Simplest of components Uses transport-layer information only ◦ IP Source Address, Destination Address ◦ Protocol/Next Header (TCP, UDP, ICMP, etc) ◦ TCP or UDP source & destination ports ◦ TCP Flags (SYN, ACK, FIN, RST, PSH, etc) ◦ ICMP message type Examples ◦ DNS uses port 53 No incoming port 53 packets except known trusted servers Information Security 7 How to Configure a Packet Filter Start with a security policy Specify allowable packets in terms of logical expressions on packet fields Rewrite expressions in syntax supported by your vendor General rules - least privilege ◦ All that is not expressly permitted is prohibited ◦ If you do not need it, eliminate it Information Security 8 Packet Filter Configuration - 1 Every ruleset is followed by an implicit rule reading like this. action src block * port dest port flags * * * * comment default Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked. Information Security 9 Packet Filter Configuration - 2 action src port dest por t flags comment block SPIGOT * * * * We don’t trust these site allow * * OUR-GW 25 * Connection to our SMTP port Example 2: Now suppose that we want to implement the policy “any inside host can send mail to the outside”. Information Security 10 Packet Filter Configuration - 3 action src allow port dest * * * por t flags 25 * comment Connection to outside SMTP port This solution allows calls from any port on an inside machine, and will direct them to port 25 on an outside machine. So why is it wrong? Information Security 11 Packet Filter Configuration - 4 Our defined restriction is based solely on the destination’s port number. With this rule, an enemy can access any internal machines on port 25 from an outside machine. What can be a better solution ? Information Security 12 Packet Filter Configuration - 5 action src port dest por t flags * allow {our hosts} * * 25 allow * 25 * * comment Connection to outside SMTP port ACK SMTP replies The first rule restricts that only inside machines can access to outside machines on port 25. In second rule, the ACK signifies that the packet is part of an ongoing conversation. ◦ Packets without ACK are connection establishment messages, which are only permited from internal hosts by the first rule. ◦ With the second rule, outside hosts can send back packets to inside hosts on port 25. Information Security 13 Application Gateway or Proxy Packets examined at the application layer Application/Content filtering possible - prevent FTP “put” commands, for example Modest performance Scalability limited Applications Applications Applications Presentations Presentations Presentations Sessions Sessions Sessions Transport Transport Transport Network Network Network Data Link Data Link Data Link Physical Physical Physical Information Security 14 Stateful Inspection Packets Inspected between data link layer and network layer in the OS kernel State tables are created to maintain connection context Invented by Check Point Applications Applications Presentations Applications Presentations Sessions Presentations Sessions Transport Sessions Transport Network Transport Network Network Data Link Data Link Data Link Physical Physical Physical INSPECT Engine Information Security Dynamic StateDynamic Tables StateDynamic Tables State Tables 15 Network Address Translation (NAT) 192.172.1.1-192.172.1.254 Internal IP Addresses Corporate LAN 219.22.165.1 Internet Public IP Address(es) Converts a network’s illegal IP addresses to legal or public IP addresses ◦ Hides the true addresses of individual hosts, protecting them from attack ◦ Allows more devices to be connected to the network Information Security 16 Firewall Deployment Corporate Network Gateway Internal Segment Gateway Internet Public Servers Demilitarized Zone (Publicly-accessible servers) ◦ Protect sensitive segments (Finance, HR, Product Development) ◦ Provide second layer of defense ◦ Ensure protection against internal attacks and misuse Human Resources Network Internal Segment Gateway Corporate Site Information Security 17 What is a VPN? Acme Corp Acme Site Corp 1 A VPN is a private connection over an open network A VPN includes authentication and encryption to protect data integrity and confidentiality VPN Internet VPN Acme Corp Site 2 Information Security 18 Types of VPNs Remote Access VPN ◦ Provides access to internal corporate network over the Internet ◦ Reduces long distance, modem bank, and technical support costs ◦ PAP,CHAP,RADIUS Information Security Corporate Site Internet 19 Types of VPNs Corporate Site Remote Access VPN Site-to-Site VPN ◦ Connects multiple offices over Internet ◦ Reduces dependencies on frame relay and leased lines Internet Branch Office Information Security 20 Types of VPNs Corporate Site Remote Access VPN Site-to-Site VPN Extranet VPN ◦ Provides business partners access to critical information (leads, sales tools, etc) ◦ Reduces transaction and operational costs Internet Partner #2 Partner #1 Information Security 21 Types of VPNs Remote Access VPN Database Server Site-to-Site VPN Extranet VPN Client/Server VPN LAN clients Internet ◦ Protects sensitive internal communications LAN clients with sensitive data Information Security 22 Overview of IDS/IPS Intrusion ◦ A set of actions aimed at compromising the security goals (confidentiality, integrity, availability of a computing/networking resource) Intrusion detection ◦ The process of identifying and responding to intrusion activities Intrusion prevention ◦ The process of both detecting intrusion activities and managing responsive actions throughout the network. Information Security 23 Overview of IDS/IPS Intrusion detection system (IDS) ◦ A system that performs automatically the process of intrusion detection. Intrusion prevention system (IPS) ◦ A system that has an ambition to both detect intrusions and manage responsive actions. ◦ Technically, an IPS contains an IDS and combines it with preventive measures (firewall, antivirus, vulnerability assessment) that are often implemented in hardware. Information Security 24 Components of Intrusion Detection System system activities are observable Audit Records Audit Data Preprocessor Activity Data Detection Models Detection Engine Alarms Decision Table Information Security Decision Engine normal and intrusive activities have distinct evidence Action/Report 25 Intrusion Detection Approaches Modeling ◦ Features: evidences extracted from audit data ◦ Analysis approach: piecing the evidences together Misuse detection (a.k.a. signature-based) Anomaly detection (a.k.a. statistical-based) Deployment: Network-based or Host-based ◦ Network based: monitor network traffic ◦ Host based: monitor computer processes Information Security 26 Security Information and Event Management (SIEM) LMS - “Log Management System” – a system that collects and store Log Files (from Operating Systems, Applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually. SLM /SEM– “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others. SIM – “Security Information Management” - an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved. SEC - “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen. SIEM – “Security Information and Event Management” – SIEM is the “All of the Above” option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure. We’ll use the term SIEM for the rest of this presentation Information Security 27 Background on Network Components Router Switch (L2 & L3) Servers (Application, Database, etc.) Firewall Demilitarized Zone (DMZ) Virtual Private Network IPS/IDS 28 Defense in Depth 29 Typical Corporate Environment 30 Log Management Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). LM covers log collection, centralized aggregation, long-term retention, log analysis (in real-time and in bulk after storage) as well as log search and reporting. 31 Log Management 32 Log Management Challenges Analyzing Logs for Relevant Security Intelligence Centralizing Log Collection Meeting IT Compliance Requirements Conducting Effective Root Cause Analysis Making Log Data More Meaningful Tracking Suspicious User Behavior 33 Introduction to SIEM The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005. Describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. Security Information and Event Management (SIEM) is a term for software and products services combining security information management (SIM) and security event manager (SEM). 34 Key Objectives Identify threats and possible breaches Collect audit logs for security and compliance Conduct investigations and provide evidence 35 SIEM vs LM Functionality Log collection Security Information and Event Log Management Management (SIEM) (LM) Log preprocessing Collect security relevant logs + context data Parsing, normalization, categorization, enrichment Collect all logs Indexing, parsing or none Log retention Retail parsed and normalized data Retain raw log data Reporting Analysis Security focused reporting Correlation, threat scoring, event prioritization Broad use reporting Full text analysis, tagging Alerting and notification Advanced security focused reporting Simple alerting on all logs Other features Incident management, analyst workflow, context analysis, etc. High scalability of collection and storage 36 A SIEM Scenario SIEM Process Flow Data Collection Extract Intelligent Information Add Value Presentation Dashboards & Reports 38 Typical Working of an SIEM Solution 39 SIEM Architecture System Inputs Event Data Operating Systems Applications Devices Databases Contextual Data Vulnerability Scans User Information Asset Information Threat Intelligence SIEM Data Collection Normalization Correlation Logic/Rules Aggregation System Outputs Analysis Reports Real Time Monitoring 40 Typical Features of SIEM 41 Context 42 Adding Context Examples of context ◦ Add geo-location information ◦ Get information from DNS servers ◦ Get User details (Full Name, Job Title & Description) Add context aids in identifying ◦ Access from foreign locations ◦ Suspect data transfer 43 How a Log File is Generated in your Network The Beauty of Log Correlation Log Correlation is the difference between: “14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22” and… “An Account belonging to Marketing connected to an Engineering System from an office desktop, on a day when nobody should be in the office” Why is SIEM Necessary? Rise in data breaches due to internal and external threats Attackers are smart and traditional security tools just don’t suffice Mitigate sophisticated cyber-attacks Manage increasing volumes of logs from multiple sources Meet stringent compliance requirements 46